Difference between revisions of "PKI ACME Responder"

From Dogtag
m (See Also)
m (Overview)
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
= Overview =
 
= Overview =
  
This page describes the procedure to install ACME responder being developed for PKI 10.8.
+
This page describes the procedure to install PKI ACME responder.
  
The development branch is available at:
+
Demo: https://acme.demo.dogtagpki.org/acme/directory.
  
* https://github.com/edewata/pki/commits/acme
+
Development branch: https://github.com/edewata/pki/commits/acme.
 +
 
 +
Availability: PKI 10.9
  
 
= Installation =
 
= Installation =
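Review bot: the new "Development branch" line in this hunk points at a personal fork (https://github.com/edewata/pki/commits/acme), while the See Also change later in the same diff links the upstream repository (https://github.com/dogtagpki/pki/...); once the acme branch is merged the fork link goes stale and readers have no way to find the shipped code, so either link the upstream branch or say explicitly that this is a work-in-progress fork that will be superseded. It would also help to tie "Availability: PKI 10.9" to the old "being developed for PKI 10.8" wording in the edit summary, since the target release moved between the two revisions.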
Line 13: Line 15:
 
* [[Configuring ACME Responder]]
 
* [[Configuring ACME Responder]]
  
= Certificate Enrollment =
+
= Usage =
 
 
Note that certbot does not accept self-signed CA certificate,
 
so the operations below are executed with plain HTTP URLs.
 
 
 
== Certificate Enrollment with HTTP-01 ==
 
 
 
To request a certificate with automatic http-01 validation:
 
 
 
<pre>
 
$ certbot certonly --standalone \
 
    --server http://$HOSTNAME:8080/acme/directory \
 
    -d $HOSTNAME \
 
    --preferred-challenges http \
 
    --register-unsafely-without-email
 
</pre>
 
 
 
To request a certificate with manual http-01 validation:
 
 
 
<pre>
 
$ certbot certonly --manual \
 
    --server http://$HOSTNAME:8080/acme/directory \
 
    -d $HOSTNAME \
 
    --preferred-challenges http \
 
    --register-unsafely-without-email
 
</pre>
 
 
 
Make sure the web server is set up properly:
 
 
 
<pre>
 
$ curl http://$HOSTNAME/.well-known/acme-challenge/<token>
 
</pre>
 
 
 
== Certificate Enrollment with DNS-01 ==
 
 
 
To request a certificate with manual dns-01 validation:
 
 
 
<pre>
 
$ certbot certonly --manual \
 
    --server http://$HOSTNAME:8080/acme/directory \
 
    -d server.example.com \
 
    --preferred-challenges dns \
 
    --register-unsafely-without-email
 
</pre>
 
 
 
To request a wildcard certificate with manual dns-01 validation:
 
 
 
<pre>
 
$ certbot certonly --manual \
 
    --server http://$HOSTNAME:8080/acme/directory \
 
    -d *.example.com \
 
    --preferred-challenges dns \
 
    --register-unsafely-without-email
 
</pre>
 
 
 
Make sure the TXT record is created properly:
 
 
 
<pre>
 
$ dig _acme-challenge.server.example.com TXT
 
</pre>
 
 
 
The certificate will be stored at /etc/letsencrypt/live/server.example.com/cert.pem.
 
 
 
To inspect the certificate:
 
 
 
<pre>
 
$ openssl x509 -text -noout -in /etc/letsencrypt/live/server.example.com/cert.pem
 
</pre>
 
 
 
= Certificate Revocation =
 
 
 
To revoke with ACME account:
 
 
 
<pre>
 
$ certbot revoke \
 
    --server http://$HOSTNAME:8080/acme/directory \
 
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem
 
</pre>
 
 
 
To revoke with private key:
 
 
 
<pre>
 
$ certbot revoke \
 
    --server http://$HOSTNAME:8080/acme/directory \
 
    --cert-path /etc/letsencrypt/live/server.example.com/cert.pem \
 
    --key-path /etc/letsencrypt/live/server.example.com/privkey.pem
 
</pre>
 
 
 
See also:
 
 
 
* [https://letsencrypt.org/docs/revoking/ Revoking certificates]
 
 
 
= Account Management =
 
 
 
== Creating an Account ==
 
 
 
To create an ACME account:
 
 
 
<pre>
 
$ certbot register \
 
    --server http://$HOSTNAME:8080/acme/directory \
 
    -m admin@example.com \
 
    --agree-tos
 
</pre>
 
 
 
== Updating Account ==
 
 
 
To update an ACME account:
 
 
 
<pre>
 
$ certbot update_account --server http://$HOSTNAME:8080/acme/directory \
 
    -m admin@example.com
 
</pre>
 
 
 
== Deactivating an Account ==
 
 
 
To deactivate an ACME account:
 
  
<pre>
+
* [https://github.com/dogtagpki/pki/blob/master/docs/user/acme/Using_ACME_Responder.md Using ACME Responder]
$ certbot unregister --server http://$HOSTNAME:8080/acme/directory
 
</pre>
 
  
 
= See Also =
 
= See Also =
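Review bot: replacing the whole Usage section with the Using_ACME_Responder.md link also drops the one caveat that mattered most for anyone copying these commands: "Note that certbot does not accept self-signed CA certificate, so the operations below are executed with plain HTTP URLs", together with the `--register-unsafely-without-email` flag that every removed example carried. If the linked document does not repeat it, keep a one-line note under "= Usage =" saying that the `http://$HOSTNAME:8080/acme/directory` form is a development convenience and that a real deployment should publish the directory over HTTPS with a CA certificate the client trusts, otherwise the account key registration and the challenge flow are exposed to anyone on the path. The removed "Make sure the web server is set up properly" / "Make sure the TXT record is created properly" checks (`curl .../.well-known/acme-challenge/<token>`, `dig _acme-challenge... TXT`) are worth preserving in the linked document for the same reason: they are how an operator confirms a validation succeeded for the right name.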

Revision as of 19:36, 29 June 2020

Overview

This page describes the procedure to install PKI ACME responder.

Demo: https://acme.demo.dogtagpki.org/acme/directory.

Development branch: https://github.com/edewata/pki/commits/acme.

Availability: PKI 10.9

Installation

Usage

See Also